What are the security benefits or risks of HTTP/2?

Question

Since HTTP/2 is starting to get adopted by more and more sites everyday. Are there any security benefits or known risks regarding HTTP/2?

Multiplexing should make traffic analysis slightly harder. – CodesInChaos Mar 16 '17 at 22:15 — CodesInChaos, Mar 16 '17 at 22:15

score 3 · Accepted Answer · edited Oct 07 '21 at 07:59

RFC 7540 Section 10 is a security consideration section that documents a number of security considerations when implementing and/or using HTTP/2. Briefly:

10.1. Server Authority

10.2. Cross-Protocol Attacks

10.3. Intermediary Encapsulation Attacks

10.4. Cacheability of Pushed Responses

10.5. Denial-of-Service Considerations

10.5.1. Limits on Header Block Size

10.5.2. CONNECT Issues

10.6. Use of Compression

10.7. Use of Padding

10.8. Privacy Considerations

Most of the regular security considerations for HTTP/1 are also still valid, as HTTP/2 has the same application level semantic as HTTP/1.

score 2 · Answer 2 · answered Mar 17 '17 at 06:17

2

From a cryptographic point of view, HTTP/2 requires to support at least TLS1.2 which means the communication channel will be encrypted using AEAD ciphers i.e. state-of-the-art crypto.

answered Mar 17 '17 at 06:17

ATo

316
1
5

What are the security benefits or risks of HTTP/2?

2 Answers2